Tag Archives: once

Mobile spyware company mSpy has once again leaked millions of customer records to the public internet.

The company develops mobile spyware that customers use to monitor the mobile device activity of their children, partners and others. Security researcher Nitish Shah discovered the mSpy leak via a public-facing database and reached out to cybersecurity journalist Brian Krebs, who first reported the leak.

Krebs looked into the mSpy leak and said no authentication was required to access the database. The customer data included passwords, call logs, text messages, contacts, notes and location data — all of which was compiled by the mSpy spyware — and there were millions of records. Additionally, there were records containing the username, password and private encryption key of every mSpy customer who was active in the last six months. The database also included the Apple iCloud usernames and authentication tokens of the Apple devices running mSpy.

According to Krebs, anyone who accessed the database would be able to see WhatsApp and Facebook messages that were also compiled by mSpy.

Krebs also noted that the transaction details of all mSpy licenses purchased within the last six months were exposed, and that included customer names, email addresses and mailing addresses. Additionally, there was browser and internet address information from users visiting the mSpy website.

The exposed database was taken offline this week. But Shah told Krebs the company’s support people ignored him when he tried to alert them of the mSpy leak and asked to be directed to their head of technology or security. After Shah contacted Krebs, Krebs reached out to mSpy as well, with only slightly better results. The chief security officer of mSpy said the company was aware of the issue and was working on it.

In response to Krebs’ article, mSpy issued a statement in which it acknowledged there was an incident, but denied that millions of records had been exposed.

This isn’t the first mSpy leak in recent years. In 2015, Krebs also reported a data leak after mSpy was hacked and customer data was posted on the dark web. In that breach, the information of over 400,000 was estimated to be exposed, and mSpy “initially denied suffering a breach for more than a week,” according to Krebs, despite customers confirming their data was part of the exposed cache.

In other news:

The FIDO Alliance has launched a certification program for biometrics. “Biometric user verification has become a popular way to replace passwords and PINs, but the lack of an industry-defined program to validate performance claims has led to concerns over variances in the accuracy and reliability of these solutions,” the FIDO Alliance said. The certification, called the Biometric Component Certification Program, is designed for both users and providers. For enterprises, FIDO said, “it provides a standardized way to trust that the biometric systems they are relying upon for fingerprint, iris, face and/or voice recognition can reliably identify users and detect presentation attacks.”

More than 7,500 MikroTik routers were infected with malware, according to researchers from Qihoo 360 Netlab. The malware logs and transmits network traffic information to servers under the hackers’ control. The researchers found the routers were infected by the malware through an exploit of a vulnerability disclosed in the Vault7 leaks of alleged CIA hacking tools. The vulnerability, tracked as CVE-2018-14847, was patched in April. The researchers noticed the malicious activity on their honeypot systems in July specifically aimed at MikroTik routers. The largest number of routers affected by CVE-2018-14847 exploits were in Russia, as well as Iran, Brazil, India and Ukraine.

Hackers have compromised the MEGA Chrome extension — which is used for secure cloud storage — to steal login credentials and cryptocurrency keys, according to researchers. First discovered by an anonymous researcher called SerHack, the malicious version of the browser extension monitors for usernames and passwords in login forms on Amazon, Microsoft, GitHub and Google, and then it sends the credentials to a host in Ukraine. It also scanned for URLs relating to cryptocurrency sites, and then it would try to steal that login data, as well. The malicious version of the MEGA Chrome extension was put in place at some point after Sept. 2, and Google has already taken it down. There’s no evidence the Firefox version of MEGA has been compromised. Chrome users of the MEGA extension should remove it immediately and change all account passwords.

Poor patching practices by vendors and users are once again coming back to bite users around the world, as a researcher discovered a cryptominer being spread to unpatched MikroTik routers.

The Coinhive malware was first found spreading through routers in Brazil. Simon Kenin, security researcher for Trustwave, based in Chicago, discovered the Coinhive malware infection originating from Brazil and first assumed it was a more common website compromise attack to inject the cryptomining code. But more digging revealed the infection was spreading through MikroTik routers.

Kenin said malicious actors were exploiting a vulnerability in the routers that MikroTik had patched in April — just one day after the flaw was first discovered.

“The exploit targets Winbox and allows the attacker to read files from the device … but the bottom line is that using this exploit you can get unauthenticated remote admin access to any vulnerable MikroTik router,” Kenin wrote in his analysis. “Initial investigation indicates that instead of running a malicious executable on the router itself, which is how the exploit was being used when it was first discovered, the attacker used the device’s functionality in order to inject the CoinHive script into every web page that a user visited.”

Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, based in Sunnyvale, Calif., noted that MikroTik has deployed approximately 1.7 million units around the world — “mostly in Brazil, China, Russia and Indonesia” — and explained why the victims may not have patched.

“Most routers, unfortunately, lack the ability to auto-update, and very few users, especially home users, know how or when to patch the firmware on their router,” Hahad wrote via email. “One of the biggest failures of security vendors that provide small-office [or] home-office routers is not including an auto-update feature by default, regardless of the technical difficulties lying around potentially taking the router offline during the update process.”

Chris Olson, founder and CEO of The Media Trust, based in McLean, Va., agreed infections like the Coinhive malware could prey on poor patching habits.

“The average user will likely plug in their router and forget about it until something goes awry,” Olson wrote via email. “Routers are like electricity and water: Unless service is disrupted, they receive little to no attention. Because they are often ignored, they make the perfect attack vector.”

Coinhive malware infections


Kenin said the Coinhive malware creates and injects a custom error page for every webpage visited by a user through an infected router.

“So if a user receives an error page of any kind while web browsing, they will get this custom error page which will mine CoinHive for the attacker,” Kenin wrote. “The backend Apache server is connected to the router as well, and somewhere along the way there was an error and it was displayed to me, miner included. What this means is that this also impacts users who are not directly connected to the infected router’s network, but also users who visit websites behind these infected routers. In other words, the attack works in both directions.”

Experts noted that this method of spreading the Coinhive malware to every site visited was unusual.

“However, it does combine well-known exploit mechanisms, though in a novel way that is well-suited to the practice of cryptojacking,” Newman wrote via email. “And, in this case, we’re not talking about cheap IoT devices with vulnerabilities which are never addressed by the vendor. In this case, the routers were exploited to deliver a cryptomining payload, but the same approach could have just as easily leveraged them for other objectives.”

Olson agreed this method of spreading malware would be more common with the creation of a botnet, and Hahad noted the Coinhive malware might not be the most efficient way of cryptomining.

“Every browser tends to have several open tabs that connect to several sites at once. Duplicating the Coinhive mining script so heavily would bring any computer to its knees in seconds, defeating the very purpose of the attack,” Hahad wrote. “Once tweaked to only inject error pages, the issue was mitigated. But, again, the effectiveness is now dramatically reduced, because people do not hit error pages very often. In my opinion, this shows it is the work of a script kiddie with not much hacking experience.”

Sen. Ron Wyden (D-Ore.) is once again advocating in favor of better cybersecurity for the U.S. government in a new letter asking that all government domains stop Adobe Flash use.

Adobe Flash has long been under fire from the infosec community for security risks, and major web browsers have been moving away from the platform in favor of HTML5, leading Adobe to announce that the end-of-life date for Flash will come in 2020.

Sen. Wyden addressed the letter to Kirstjen Nielsen, secretary of the Department of Homeland Security (DHS); Walter Copan, undersecretary of Commerce and director of the NIST; and Paul Nakasone, director of the NSA and commander of U.S. Cyber Command, advocating that the government stop Adobe Flash use.

Wyden asked that these three agencies collaborate to stop Adobe Flash use in government “in light of its inherent security vulnerabilities and impending end-of-life.”

“The federal government has too often failed to promptly transition away from software that has been decommissioned. In just one example, agencies were forced to pay millions of dollars for premium Microsoft support after they missed the deadline to transition away from Windows XP at its end-of-life in 2014, even though the technology’s last major update had been six years prior,” Wyden wrote in the letter. “The U.S. government should begin transitioning away from Flash immediately, before it is abandoned in 2020.”

Chris Olson, CEO and founder of The Media Trust, a digital media risk management company based in McLean, Va., noted that the reason government agencies tend to fail at these transitions is due to budgets.

“Government budgets are strapped. As a result, they tend to retain legacy systems, software, and machines that take time to patch and update. The budget issue is worse for state, municipal, and other local government entities,” Olson wrote in an email. “The situation won’t change anytime soon, so agencies should continuously scan their websites and mobile apps in real-time for any unauthorized actors and activities.”

Wyden noted that DHS, NIST and the NSA “provide the majority of cybersecurity guidance to government agencies,” but none have issued public guidance calling for agencies to stop Adobe Flash use.

Wyden suggested a three-step plan to stop the deployment of new Flash-based content within 60 days, remove Flash from some agency computers by March 2019, and then require the removal of all Flash content from websites by August 2019.

Olson applauded the multistaged approach to having government agencies stop Adobe Flash use.

“Flash is just the tip of the iceberg. There are a growing number of other attack vectors, including HTML5, a variety of content management systems, browsers, etc. Any organization will need to keep up with the various developments that are being nurtured in the underground economy of cybercrime,” Olson wrote. “Agencies and any organization with digital assets will need to work closely with their third parties to enforce security policies, police what code is being executed in their digital ecosystems with the help of continuous, real-time scanning, and root out unauthorized actors and code.”

I also have a tube of liquid pro that just a small blip has been used from for £6.00

Will upload photos later today…

Price and currency: 30.00
Delivery: Delivery cost is included within my country
Payment method: PPG or BT
Location: Malvern
Advertised elsewhere?: Advertised elsewhere
Prefer goods collected?: I have no preference

______________________________________________________
This message is automatically inserted in all classifieds forum threads.
By replying to this thread you agree to abide by the trading rules detailed here.
Please be advised, all buyers and sellers should satisfy themselves that the other party is genuine by providing the following via private conversation to each other after negotiations are complete and prior to dispatching goods and making payment:

Landline telephone number. Make a call to check out the area code and number are correct, too

Name and address including postcode

Valid e-mail address

DO NOT proceed with a deal until you are completely satisfied with all details being correct. It’s in your best interest to check out these details yourself.

It will be easier for someone recruiting on LinkedIn to poach talent once the social network giant releases its new analytics platform near the end of September. This may seem startling, but LinkedIn is not shying away from this outcome.

The platform, LinkedIn Talent Insights, is intended to simplify the ability of recruiters to get competitive intelligence and target potential candidates. Users will be able to look at, for instance, the number of software engineers employed by a firm, parse it down by city, see the growth in hiring and note the attrition rate.

In beta testing for LinkedIn Talent Insights, some of the participating users were able to identify firms in some markets that have people with sought-after skill sets, such as software engineers, and then target them. The workers can then be identified using tools for recruiting on LinkedIn.

Poaching talent questioned

Eric Owski, the head of product for Talent Insights at LinkedIn, outlined the forthcoming tool at the recent Society for Human Resource Management conference in Chicago. Before his audience, he used a live demo to demonstrate, in minutes, how to assemble a competitive analysis.

During an audience Q&A, one woman in attendance asked Owski about the ethics of using this analytics tool to raid a competitor.


The attendee asked: “Does that set up an environment for poaching talent?” And then she immediately answered her own question. “I think the answer is yes. And so why would I sign off on that?”

Owski agreed that using the new tool for recruiting on LinkedIn made poaching possible but argued that there was nothing wrong with making this data available.

Internally, the LinkedIn team on the project had many “philosophical” discussions about the use of this data, Owski said. But the team concluded that “the world is becoming more transparent,” and “very sophisticated teams at large companies were able to figure out a lot of the calculations that we’re making available in this product,” he said.

“We think by packaging it up nicely, it levels the playing field,” Owski said. “We feel like we’re on safe ground.”

LinkedIn draws line on available data

But LinkedIn is drawing a line on what data it makes available.

Owski said LinkedIn can determine with up to 93% accuracy the gender diversity of workers at a firm by analyzing the first name. But the company isn’t making company-specific gender data available in the search tool because it is “very highly sensitive data” that can open up questions of discrimination. LinkedIn will make that information available at a market or broader level.

LinkedIn Talent Insights uses data from its 560 million global members. The site has 15 million open jobs at any given time and some 23,000 standardized job titles that it recognized. The analytics platform is global and not dependent on government data, Owski said.

The tool’s ease of use was a key point for Owski. The interface appeared to be no more complicated than the advanced search feature on Google. It asked the user to input skills to include and exclude job title, location and industry. It then quickly produced a list of firms with employees who have those skills, hiring trends and attrition rate.

One attendee, Kevin Cottingim, senior vice president of HR at Employbridge, a staffing firm, said in an interview he was “excited” about trying the analytics platform for recruiting on LinkedIn.

Cottingim said his firm has 500 branches around the country and the recruiting analytics tool will help them understand if there are more positions available than candidates in any given market. With that data, he can strategize his plans for more targeted advertising, as well as consider paying a salary premium.

In terms of seeing the attrition rates at other firms, Cottingim said, “I would love to be able to benchmark that against my competitors.”

Quality of data questioned

Some in the audience raised questions about the quality of the data, and whether, for instance, profile changes are a good enough indicator of attrition. An attendee asked if LinkedIn continued to appeal to a full demographic range of people, particularly millennials.

Owski said there’s a potential for noise in the data, but he believes they have enough representation of professionals to “cancel out the noise.”

As far as competitors to LinkedIn, Owski said, unlike Facebook, it doesn’t have Snapchat-type rivals. Some industry observers believe Snapchat, which tends to appeal to younger users, is a potential Facebook threat. Owski’s point is that LinkedIn doesn’t have similar competitors.

Product pricing will be available in July, and the vendor may bundle LinkedIn Talent Insights for people who are already recruiting on LinkedIn. An upcoming feature will be an API that allows users to take the data and use it in their own dashboards.

Another attendee, Melvin Jones, the workforce strategy branch chief at the National Oceanic and Atmospheric Administration (NOAA), said the LinkedIn Talent Insights tool may help the agency improve the targeting of its job advertising and figure out what job markets are best for certain skills.

It will also enable the agency to know how private sector firms view NOAA’s workforce, Jones said, in an interview.

“It’s good to have validation of the data and see how other people are viewing us,” Jones said. “In military terms, it’s good to see what the enemy sees.”

Teaching wasn’t really on my to-do list. My ambition was to be a financial manager once I graduated from university, but instead I followed my father’s path into teaching. And in my country, Morocco, that means consigning yourself to an isolated region for the first few years of your career. No electricity, no drinkable water, and in winter you might have to cross rivers just to get to school.

Unlike many educators around the world, one of my challenges wasn’t to integrate technology into a modern urban classroom – it was to make it work in a rural environment, where students, their parents and their siblings have never so much as touched a PC or used the internet. But even in this situation, or maybe because of it, I started to change my mind about my career. I began to like my new job. Those innocent eyes waiting for me every morning pushed me into giving everything I have to improve education for children in rural places.

My classroom didn’t have electricity. The internet and mobile signals in the area were weak, and I had to walk a five-mile round trip, six days per week, over the mountains to get to the school. Still, I believed in the power of information and communication through technology, and I tried hard to surpass any technical or logistical problems, just to take my students to another climate of learning and bring my classroom to life. Where to start?

With most students here passing their time after school (and even at dawn) herding and guarding sheep, looking for water or helping their families at shelters, school just wasn’t the biggest priority. To figure out how to reduce absence, I needed to know more about it.

First, I used Microsoft Excel as a master tool to collect and analyze absence data, with clear definitions of when dropouts were happening. I asked for the absence data archive from the principal director and combined it with what I recorded every school day. From the results I concluded the highest rate of absence was on Fridays, which coincided with the most popular day for students to play, meet friends and step out of their routine life. It was all happening at the souk, an atmospheric and vibrant marketplace full of food and furniture, toys, candy, old comic books and other goods. In trying to think of something bigger, something more exciting and more attractive to get the students to their teacher, I decided to visit the souk myself and make a plan.

I bought a second laptop and additional batteries, so I wouldn’t have to worry about losing power in the class. It was a little hard at the beginning, carrying two laptops in my bag for a 5-mile round trip to get to the school, but after some weeks I got used to it.

Each Friday, a raffle would be waiting for my students at the classroom. During recess, we’d organize a draw, and the winner would have the chance to use the laptop and choose between watching cartoons, playing an educational video game, or writing on Microsoft Word.

At the beginning, I thought my students would choose to play games or watch videos when they had their chance, but I was wrong. Most of them preferred to explore Word and they became so excited when they typed in their names and some words and paragraphs.

Giving my students the opportunity to use the PC and freely connect with technology had a powerful impact on combating the absence phenomenon. My students now prefer coming to school and they’re starting to convince their parents and siblings about the importance of school and ICT (Information and Communication Technologies). More recently, we’ve been holding a “Friday Surprise” each week, where students can express themselves and develop their skills by creating handmade decorations, using the laptop to look for creative ideas, to draw, or do other things that improve communication, collaboration, presentation, creativity, problem solving, and critical thinking.

There are some other educational issues we see in the multi-grade classroom. Some multi-grade teachers may teach two grades in the same class, while others may teach three or four grades. I’m teaching six grades. The students in these grades are usually of the same age but may differ in their abilities, which means:

Planning can be time consuming.

Teachers may be frustrated due to their geographical isolation.

Physical conditions may be unattractive. Some classrooms are very small and overcrowded.

Few materials are available for multi-grade teaching.

To take this challenge on, I thought about how being a teacher in a rural area didn’t prevent me from increasing my knowledge, or developing my professional and personal skills. I tried to use the internet to get away from the isolation and be a part of the community of innovative educators. After learning about new methods and experiences all over the planet, I decided to let my students choose, by themselves, to come to school, even on special days, rather than imposing it on them. With ICT, I would rather make them eager to build knowledge. I encouraged them to try new things and never be afraid of change. That’s why using ICT has had a positive impact not only in my classroom, but on the whole school environment.

For me, the weak infrastructure, the absence of digital tools and unawareness of how important education is are no excuse – we can still create and think of innovative ways to make our students love coming to school.

To meet the varied needs of multi-grade students, teachers need in-depth knowledge of child development and learning and a larger repertoire of instructional strategies than most single-grade teachers possess. They must be able to design open-ended, divergent learning experiences accessible to students functioning at different levels. They must know when and how to use homogeneous and heterogeneous grouping and how to design cooperative group tasks. They must be proficient in assessing, evaluating, and recording student progress using qualitative methods.

Multi-grade teachers must be able to facilitate positive group interaction and to teach social skills and independent learning skills to individual students. They must know how to plan and work cooperatively with colleagues, as team teaching is commonly combined with multi-grade organization. Finally, they must be able to explain multi-grade practices to parents and other community members, building understanding and support for their use.

The wealth of digital tools makes it easy to create your own educational materials, and there are many advantages in doing so. As a teacher, the learning for your students is strengthened by your voice and pedagogy. The students can study at their own pace and learn at their level. These are some of my strategies:

Consider students’ needs and their knowledge differentiation, by presenting my own lesson plan.

Planning: Microsoft offers planning templates that you can customize to your requirement. You can update and reuse these when you teach the lessons again.

Record keeping: By maintaining electronic documents you can quickly access and update information, making it easier to share and cross reference.

Assessing: With Microsoft Word, Excel and PowerPoint you can design assessments with automated marking.

Coordinating and communicating: E-mail is a useful option to communicate. Microsoft Outlook offers the option of a shared calendar, which makes coordination efficient. You can use a blog or webpage that parents visit for updates.

Collaborating: Shared workspaces or collaboration tools, such as SharePoint, Skype, Skype for Business, and Office 365 make it easier to collaborate on documents and hold virtual meetings.

For me, as a primary school teacher, my love for this noble job has grown far beyond what I ever expected. I have learned that the teacher doesn’t just light up minds, but hearts as well. I learned that teaching is art and love before it’s a job. I learned that education has no borders.

Getting rid of a bit of clutter in the house, I will add more once I get into storage and do a proper clean out. All items are free, all I ask is you pay postage and packaging. Please only ask for something if you need it.

Western Digital My Net Central N900 it has gigabit ethernet ports, made for cable connections or can be used as an access point. It also has a 2.5 inch sata HDD bay internally which can be used as a NAS or you can do this via the USB 2.0 port at back.

Cat 5E flat black ethernet cables
1 x 15m
3 x 5m

12TB Seagate Iron Wolf, just arrived from RMA. This one is brand new still sealed. £300

I have more ethernet cables but most have the clips broken but work fine, let me know if you would still like these. Ranging from 1-2m some are Cat 5e and some are Cat 6.

I’m in Sheffield if anyone would like to collect.

Delivery: Delivery cost is not included
Payment method: BT or PPG
Location: Sheffield
Advertised elsewhere?: Advertised elsewhere
Prefer goods collected?: I have no preference


I have a new 7 day old Oculus Rift 19/5/2018. I set it up once 23/5/2015 and did not like how it felt. I’m being honest, I played Project Cars 2 for 20 minutes and it just felt like I was in a rollercoaster and felt sick. Maybe it was because I was tired, I’m not sure. I have not used it since, and to me, being used to 4K triple screens on my rig, I will stick to that for now. It was bought from Very. I did try and return it, but as it’s been used I can’t send it back. I will however give the invoice from Very, which is proof of purchase.

I’m not sure what happens to the games as I did not need to use any codes and they downloaded themselves with the setup software.

Price is firm, and price includes next day delivery insured.

Collected price will be £340

More photos if there’s interest.

Price and currency: £350 inc NEXT day delivery.
Delivery: Delivery cost is included within my country
Payment method: BT
Location: Dumfries
Advertised elsewhere?: Not advertised elsewhere
Prefer goods collected?: I have no preference

